Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.
References
Configurations
History
22 Aug 2025, 18:44
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/54c8717d45ce1594918f11cb9ce5d0ccd8dfee65 - Patch | |
| References | () https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd - Patch | |
| References | () https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-g3cp-pq72-hjpv - Exploit, Vendor Advisory | |
| CPE | cpe:2.3:a:starcitizen.tools:citizen:*:*:*:*:*:mediawiki:*:* | |
| First Time |
Starcitizen.tools
Starcitizen.tools citizen |
16 Jun 2025, 12:32
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-06-12 19:15
Updated : 2025-08-22 18:44
NVD link : CVE-2025-49579
Mitre link : CVE-2025-49579
CVE.ORG link : CVE-2025-49579
JSON object : View
Products Affected
starcitizen.tools
- citizen
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')